Microsoft this past week released its April 2024 Patch Tuesday updates for Windows 10 (KB5036892), Windows 11 (KB5036893), and more. As is often the case, users encountered various problems and issues when trying to install the updates.
Regardless, the updates address several critical security issues. Earlier today, we covered a couple of Kerberos PAC authentication security vulnerabilities tracked under CVE-2024-26248 and CVE-2024-29056.
Meanwhile, the April 2024 Patch Tuesday also has updated mitigations for the BlackLotus security vulnerability which bypasses Secure Boot and is identified by CVE ID "CVE-2023-24932." Updated Secure Boot, though, won"t help you with the LogoFAIL vulnerability that we recently covered.
Like the one for Kerberos PAC validation, the mitigations are not enabled by default and have to be enforced.
Microsoft has also cautioned about the various known issues. For example, the mitigations are blocked on Windows Server 2012 and Server 2012 R2 systems due to an incompatibility with TPM (Trusted Platform Module) 2.0.
Microsoft explains:
TPM 2.0-based systems: These systems that run Windows Server 2012 and Windows Server 2012 R2 cannot deploy the mitigations released in the April 9, 2024 security update because of known compatibility issues with TPM measurements. The April 9, 2024 security updates will block mitigations #2 (boot manager) and #3 (DBX update) on affected systems.
Microsoft is aware of the issue and an update will be released in the future to unblock TPM 2.0-based systems.
The full list of known issues is given below:
- HP: HP identified an issue with mitigation installation on HP Z4G4 Workstation PCs and will release an updated Z4G4 UEFI firmware (BIOS) in the coming weeks. To ensure successful installation of the mitigation, it will be blocked on Desktop Workstations until the update is available.
- HP devices with Sure Start Security: These devices need the latest firmware updates from HP to install the mitigations. The mitigations are blocked until the firmware is updated.
- Arm64-based devices: The mitigations are blocked due to known UEFI firmware issues with Qualcomm-based devices. Microsoft is working with Qualcomm to address this issue. Qualcomm will provide the fix to device manufacturers.
- Apple: Mac computers that have the Apple T2 Security Chip support Secure Boot. However, updating UEFI security related variables is available only as part of macOS updates. Boot Camp users are expected to see an event log entry of Event ID 1795 in Windows related to these variables.
VMware: On VMware-based virtualization environments, a VM using an x86-based processor with Secure Boot enabled, will fail to boot after applying the mitigations. Microsoft is coordinating with VMware to address this issue.
Symantec Endpoint Encryption: Secure Boot mitigations cannot be applied to systems who have installed Symantec Endpoint Encryption. Microsoft and Symantec are aware of the issue and will be addressed in future update.
You can find more technical details alongside the full timeline for the release on the support document on Microsoft"s website.